The present invention relates to a system and method for identifying a user or device and, optionally, for conducting transactions between the user or device and a third party, for example, by way of a telephone connection or an electronic computer system such as the Internet.
Various systems are know for conducting electronic transactions in a more or less secure manner over a telecommunications link or the like. One well known system is known as electronic funds transfer at point-of-sale (EFTPOS), in which a user is issued with a credit or debit card bearing a unique identification number, usually embossed on the card in human-readable form and also encoded on a machine-readable magnetic strip on the reverse of the card. For further identification purposes, the card typically includes a space for a user permanently to include his or her signature. In use, when a user wishes to make a purchase in, for example, a retail store, he or she presents the debit or credit card to a store employee. The card is then swiped through a card reader, and information relating to the identity of the card, the identity of the retail store and the value of the goods or services being purchases is transmitted by way of a telephone connection to a remote computer server operated by the card issuer (normally a bank or suchlike). The remote computer server checks that the user's card account contains sufficient funds or credit to cover the proposed transaction, checks that the user's card account is currently operational (for example, to check that the card has not been reported stolen), and then issues a confirmation signal back to the card reader to indicate that the transaction may be authorized. The store employee must then obtain a specimen of the user's signature and compare this with the signature on the reverse of the card so as to check the identity of the user. If the signatures appear to match, the store employee operates the card reader to complete the transaction, and the funds required to cover the transaction are then electronically transferred from the user's card account to the retail store. If the signatures do not appear to match, then the store employee may request additional proof of identification before authorizing the transaction, or may simply refuse the transaction and retain the user's card, which may have been stolen, thereby preventing any unauthorized transfer of funds. This system is open to fraudulent abuse, since it is possible for a card to be stolen and for a thief to forge the signature of an authorized user.
In a development of this system, a card user may be issued with a personal identification number (PIN), which is usually a four digit code, and which is theoretically known only to the user and to the card issuer. Instead of or in addition to providing a specimen of his or her signature at the point-of-sale, the card user is required to enter his or her PIN into the card reader, and this information is transmitted to the remote computer server together with the card and retail store identification data and data regarding the value of the transaction. By providing an extra identification check by way of the PIN, this system helps to prevent fraud by forgery of signatures, but is still not completely secure because the PIN does not change between transactions, and may therefore be intercepted together with card identification data when being transmitted between the card reader and the remote server. Furthermore, it is possible for a thief to observe a user entering his or her PIN into a card reader and to remember the PIN. If the thief is also able to obtain card identification details, for example, from a discarded till receipt or through conspiracy with the store employee, it is a simple matter to produce a fake card including all the appropriate identification information for later fraudulent use, or even to rob the authorized card user of his or her card.
The Protocol of the present invention is currently the only identity verification solution available that can be used across all platforms, using a common user interface. A number of other attempts to solve the problem of identity verification are currently available and include Public Key Infrastructure (PKI), SMART Cards, and biometrics.
A Public Key Infrastructure is a combination of hardware and software products, policies and procedures. PKI provides the basic security required to carry out electronic business so that users, who do not know each other, or are widely distributed, can communicate securely through a chain of trust. PKI is based on digital IDs known as ‘digital certificates’ which act like ‘electronic passports’ and bind the user's digital signature to his or her public key. The PKI approach is only applicable for Internet or other transactions that use a computer because the complexity of the software at the users' end of the transaction requires significant computing resources. The PKI approach is not well suited to high volume transaction processing because of this complexity.
Smart Cards are a response to the problem of credit/debit card fraud. Smart Cards are cards that have a microchip embedded within the card which enables personal details about the cardholder to be stored securely on the card, which can then be used to verify the identity of the person using the card. The Smart Card system relies upon there being a Smart Card reading apparatus at the point of sale. Currently, few high street merchants have invested in such equipment, and recent industry estimates expect a hybrid smart card/magnetic strip environment for the next 10-15 years. In addition, smaller or independent retailers find the cost of such equipment is a deterrent to uptake. Few Smart Card systems address the problem of “card not present” fraud such as e-commerce, m-commerce, interactive TV and telephone order unless the consumers invest in Smart-Card readers for the home. Similarly, any Smart Card can be copied (“skimmed/cloned”) and can subsequently be used fraudulently in card not present situations. Most major card issuers have plans to roll out such Smart Cards within the next few years, although the costs of the equipment, the cards themselves and the availability of the chips may delay this process. The present invention has been designed to be able to act as a security overlay to such Smart Card systems and can make any transaction as secure as those for which the Smart Cards are designed.
A number of companies are currently developing biometric solutions to the problem of cardholder verification. The Biometric systems can use fingerprints, voice recognition, retinal scans or tissue samples to positively identify the cardholder. Similar to smart cards these biometric systems would require complex and costly equipment at the point of sale and would not provide any protection against fraud in card not present situations.